Questions on Information Security Stack Exchange are expected to relate to Information security within the scope defined by the community. Consider editing the question or leaving comments for improvement if you believe the question can be reworded to fit within the scope. Read more about reopening questions here.
If this question can be reworded to fit the rules in the help center, please edit the question.

2

This site is for security questions, so if you don't care about the security aspects, or don't want to disclose the steps you're using for security (as suggested in your other comments below), then it doesn't seem like this question would be on-topic. You might want to try a bluetooth-related site. If you think it is on-topic, please edit it and cover the background material suggested in the faq.
–
nealmcbJun 6 '11 at 0:20

2 Answers
2

Bluetooth devices have MAC addresses in a similar vein to 802.11X wireless cards and 802.3 ethernet cards. You could periodically scan for the presence of a known MAC address. There are nominally 2^48 (281474976710656) possible such addresses but as with ethernet cards the first 24 bits will be reserved for a manufacturer, so if an attacker has observed your phone, then there are only 16777216 possible combinations for a known manufacturer. Given that it is possible to have the same number of manufacturers (16777216) and given there probably aren't that many, the attacker only needs an assigned list of known manufacturer codes to greatly reduce a brute force.

If your device has ever been bluetooth-enabled near an attacker aware that you are depending on the MAC address, then chances are high this information has again been compromised. Any OTA transmission will reveal your MAC, much as is the case for wireless access points, the only difference being the level of proximity to you that would be needed. Anyone who has ever paired with you will also have that address.

I don't honestly believe such a system adds much security in and of itself. Blunders is correct, you need additional secure link information. But if you're happy with just a number and don't care that it's about as secure as leaving your laptop in a pub with a post-it on it saying "steal me", this should be fine.

Based on the way your stating the requirements, also not knowing that much about bluetooth, I wondering if your request for authentication based on a unique signal matters.

Meaning if the signal is not passing a key via a secure layer, what is to stop that signal from just being recorded, and then played back? Or to be even more clear, if the lock on the door is not a security feature, why even lock the door at all?

I know that it's vague but there is a purpose. The security of the system is implemented another way. I'm not looking for true authentication, just if it is likely my phone. (The other layer of security would prevent anyone from wanting to spoof it or pretend its mine)
–
floatJun 5 '11 at 19:22

Sorry again to be vague on how the other half works but the criteria of my request can make sense. Lets just say in this example, someone hears a bell when my phone is detected, looks out the door, if it's me - unlocks it. (same difference)
–
floatJun 5 '11 at 19:23

@float: How is visual authentication by parties known to each other the same thing as opening the door for anyone that knows the "secret" knock? Second given how vague you're being, I would also say the following in response to "[another] layer of security would prevent anyone from wanting to spoof it", you should never deploy any security feature that would result in automated physical response; again, you're being vague, little or no reason to be if the system's implementation is really secure in my opinion.
–
blundersJun 5 '11 at 19:39

My understanding of the question (which may or may not be what @float had in mind) is that there is an authentication system with acceptable accurracy but which is expensive or vulnerable to DoS, and the problem is to protect it behind a trigger. But even under that interpretation it's hard to recommend a good trigger without knowing what the authentication system is.
–
GillesJun 6 '11 at 9:38

@Gilles: While I can't speak for nealmcb, who commented below the body of the poster's questions, an authentication system is a security feature, the poster clearly states the requested information will not be used as a security feature; aka there is nothing related to security within the request, and is at best a request on how use bluetooth to do something unrelated to security. What leads you to believe the "real" security feature, which the poster would not identify, was expensive and/or vulnerable to DoS?
–
blundersJun 6 '11 at 15:26